The task of a compliance officer is not to “set it and forget it.” Apart from planning and advising on risk management strategies, and monitoring business implementation of the attendant policies and procedures, compliance professionals must remain vigilant about the potential for violations. Internal compliance violations can run the causal gamut: they may result from internal controls failures, unwitting omissions due to lack of awareness, or outright misconduct and malfeasance.
Compliance officers should approach an investigation into a compliance exception thoughtfully and with careful preparation. If the planning for or administration of the investigation is flawed from the beginning, then the investigation results will not be reliable. In many fields, such as scientific research, planning investigation tactics and strategy is a discipline all of its own, demanding special expertise in statistical methodology standards.
For the purposes of compliance officers’ internal investigations, a common-sense approach, focused on fairness and transparency, can take the place of technical expertise in conducting informal internal investigations that will still generate reliable and meaningful results. Compliance professionals should keep the following fundamental themes in mind when designing an investigation effort:
- Reject foregone conclusions: Compliance investigation inquiries can be sensitive and intimidating. Most people do not want to do the wrong thing and will be worried or even frightened by the possibility that they have broken rules or regulations. They will fear that their jobs are at risk or worry about the reputation of the company due to the misconduct. Therefore, take the investigation seriously, even if its scope is limited or it’s routine. Don’t decide the outcome before the information is gathered. Investigations should be motivated by intellectual curiosity, in the case of annual or planned investigations, or, in the case of ad-hoc or event-driven investigations, an objective desire to protect and promote integrity, which knows no master.
- Work carefully: Sloppiness and poor preparation will doom an investigation from the beginning. Compliance professionals should work carefully and check their work as they go along. Simple errors such as directing queries to the wrong recipients or asking for information that is out of scope of the investigation can cause a terrible impression with stakeholders and disrupt the efforts of the investigation. Communication is key, and information communicated to all parties throughout the investigation should be accurate, clear, and appropriate at all times.
- Give support, not interference: Compliance often collaborates with other functions such as HR, Legal, and Risk; this collaboration should be encouraged, not complicated or avoided. In planning investigation strategy, work together with partners and stakeholders whenever possible (legal privilege and confidentiality, where it applies, must of course always be respected). Sharing information helps to make conclusions stronger and to avoid inefficient duplication of efforts.
- Follow through with enforcement when misconduct is evidenced: Investigations are toothless when the results are just put on a shelf and forgotten. Enforcement action must come next, and in every outcome, there is appropriate follow-up. In instances where misconduct is discovered, whether it is from negligence or intentional wrongdoing, disciplinary action should be taken with concrete consequences. Substantive structural changes should also be made to the risk control framework to seek to prevent, or identify earlier, the non-compliant behaviour whenever possible. Punishing the wrongdoer is not enough; addressing the root causes of the wrongdoing has to happen too.
- Feed-forward when no malpractice is discovered: Not every investigation will be an open and shut case where there are good people and bad people and everything wraps up neatly. It may be that the investigation yields no evidence that anything material happened. It’s also possible that the investigation would show some unrelated deficiencies, such as in communication strategies or employee awareness. Finally, the investigation could produce inadvertent lessons for the compliance officer himself or herself to take back to a future risk assessment and planning session. Whatever these conclusions are, don’t discard them just because they don’t lead to a punitive action. Feed them forward into risk controls improvements and future compliance program efforts.
Compliance officers who consider the above suggestions in planning their own investigation strategy will be focused on obtaining neutral, credible information. They will communicate clearly and engage stakeholders supportively. Enforcement actions stemming from the investigation efforts will be proactive and productive. With these approaches, compliance officers can establish credibility and effectiveness in conducting internal investigations.